Method and device for monitoring data communications

ABSTRACT

A method for monitoring data communications in a communications system which includes a plurality of subscribers and a communications medium jointly usable by the subscribers. The method includes the following steps: ascertaining the subscribers of the communications system; forming a first collection of possible messages which may be sent by at least one of the ascertained subscribers via the communications medium; ascertaining messages transmitted via the communications medium; and evaluating the ascertained messages.

CROSS REFERENCE

The present application claims the benefit under 35 U.S.C. 119 of German Patent No. DE 102018217964.6 filed on Oct. 19, 2018, which is expressly incorporated herein by reference in its entirety.

FIELD

The present invention relates to a method for monitoring data communications in a communications system which includes a plurality of subscribers and has a communications medium (shared medium) jointly usable or shared by the subscribers.

The present invention also relates to a device for implementing such a method.

BACKGROUND INFORMATION

Conventional methods and devices for monitoring data communications generally require special hardware and/or complex signal processing.

SUMMARY

An object of the present invention is to improve a method and a device for monitoring data communications so as to reduce or avoid the disadvantages of the related art.

Preferred specific embodiments of the present invention include a method for monitoring data communications in a communications system which includes a plurality of subscribers and has a communications medium jointly usable by the subscribers (i.e., shared, in particular, among the subscribers); the method including the following steps: ascertaining the subscribers of the communications system; forming a first collection, e.g., a list, of possible messages which may be sent by at least one of the ascertained subscribers via the communications medium; ascertaining messages sent via the communications medium; evaluating the ascertained messages. During the evaluation of the ascertained messages, which therefore have actually been sent via the communications medium, the first collection may advantageously be considered, which means that ascertained messages may be compared, for example, to the first collection. This allows efficient monitoring of the data communications in the communications system; in particular, the monitoring does not require any expensive special hardware or complex signal processing. Instead, the knowledge characterized by the first collection is used; this knowledge is typically available during the construction of the communications system and/or can be ascertained then or later without much effort.

“Subscriber” or “subscriber device” is presently understood as any technical device or any technical system which is configured or suited to enter into data communication with other subscribers via the (shared) communications medium, thus, for example, to send and receive messages via the communications medium to and from one or more other subscribers. If the communications system includes, for example, a CAN bus, the above-mentioned subscriber and/or subscriber device may have, for example, a CAN transceiver for data communications via the CAN bus.

In further preferred specific embodiments, the method further includes the following steps: a) ascertaining a transmission state of at least one ascertained subscriber, preferably of a plurality of, or of all, the ascertained subscribers; b) for the at least one ascertained subscriber (preferably for the plurality of, or all of, the ascertained subscribers), ascertaining a second collection of possible messages which may be sent via the communications medium by the at least one (or the plurality of, or preferably all of) the ascertained subscribers, as a function of the specific transmission state of the ascertained subscriber in question; in particular, the evaluating of the ascertained messages being carried out as a function of the second collection. This renders possible particularly precise monitoring of the data communications.

In further preferred specific embodiments, the second collection is updated, preferably repeatedly; in particular, the second collection being updated a) periodically and/or b) as a function of a, preferably current, transmission state of the at least one ascertained subscriber, and/or c) as a function of at least one ascertained message.

In further preferred specific embodiments, the evaluating includes checking whether the ascertained messages contain at least one message which is not included in the second collection. This may indicate, for example, a manipulation attempt (e.g., injection of the message by an attacker).

In further preferred specific embodiments, the evaluating of the ascertained messages includes ascertaining a frequency of the messages sent by at least one particular ascertained subscriber (in particular, ascertaining the frequency of messages of the same type; in the case of CAN bus systems, e.g., ascertaining a frequency of messages having the same CAN ID).

In further preferred specific embodiments, the evaluating of the ascertained messages additionally includes the following steps: comparing the ascertained frequency to a frequency specified for the particular ascertained subscriber (and/or for the relevant message type, e.g., CAN ID); and, optionally, initiating an error response if the ascertained frequency does not agree with the frequency specified for the particular ascertained subscriber (and/or for the message type in question).

In further preferred specific embodiments, the evaluating additionally includes checking whether the ascertained frequency falls below a specifiable first threshold value and/or exceeds a specifiable second threshold value and/or is identical to zero; and, optionally, initiating an error response if the ascertained frequency falls below the specifiable first threshold value and/or exceeds the specifiable second threshold value and/or is identical to zero.

In further preferred specific embodiments, an error response may generally be initiated, e.g., if a collection is checked against communications or messages on the network and, in this context, at least one anomaly is detected.

In further preferred specific embodiments, the method includes the following steps: checking whether all of the messages transmittable by a particular subscriber are contained in the ascertained messages; deducing a manipulation attempt if not all of the messages transmittable by the particular subscriber are included in the ascertained messages; in particular, deducing a manipulation attempt if not all of the messages transmittable by the particular subscriber are contained in the ascertained messages within a specifiable waiting time. In further preferred specific embodiments, the specifiable waiting time may be monitored with the aid of a timer.

In further preferred specific embodiments, the method includes the following steps: checking whether messages transmittable by a particular subscriber are contained in the ascertained messages; deducing a manipulation attempt if some, but not all, of the messages transmittable by the particular subscriber are included in the ascertained messages. This advantageously allows, e.g., the communications or messages actually occurring to be compared to the communications or messages expected for each subscriber. If, e.g., all of the communications of a subscriber are absent, this indicates its complete malfunction. If only a portion of the communications of a subscriber are absent, this indicates an attack (masquerade, in which an attacker impersonates the subscriber for part of its messages).

Further preferred specific embodiments relate to a device for monitoring data communications in a communications system which includes a plurality of subscribers and has a communications medium jointly usable by the subscribers; the device being configured to execute the following steps: ascertaining the subscribers of the communications system; forming a first collection of possible messages which may be sent by at least one of the ascertained subscribers via the communications medium; ascertaining messages sent via the communications medium; evaluating the ascertained messages.

In further preferred specific embodiments, the device is configured to execute the method in accordance with the specific embodiments.

Further preferred specific embodiments relate to a subscriber or a subscriber device (e.g., a CAN transceiver, in the case of a CAN bus system) for a communications system which has a shared communications medium jointly usable by a plurality of subscribers; the subscriber having at least one device according to the specific embodiments.

Further preferred specific embodiments relate to a communications system which includes a (shared) communications medium jointly usable by a plurality of subscribers, as well as at least one subscriber according to the specific embodiments and/or at least one device according to the specific embodiments; in particular, the communications system taking the form of a CAN (controller area network) system or CAN FD (flexible data rate) system.

Further preferred specific embodiments relate to use of the method according to the specific embodiments and/or of the device according to the specific embodiments and/or of the subscriber according to the specific embodiments and/or of the communications system according to the specific embodiments, for monitoring the communications system for a fault and/or for manipulation of at least one subscriber.

Further advantageous refinements of the present invention are described herein.

The example embodiments according to the present invention may advantageously allow manipulation of the communications system and/or of at least one subscriber to be detected efficiently, without the provision of additional hardware, in particular special hardware. In particular, this allows so-called man-in-the-middle attacks and/or masquerading attacks to be detected.

Additional features, uses and advantages of the present invention ensue from the following description of exemplary embodiments of the present invention, which are illustrated in the figures. In this context, all of the described or illustrated features form the subject matter of the present invention, either alone or in any combination, irrespective of their combination, wording or representation in the description herein and in the figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a simplified block diagram of a communications system according to a specific embodiment of the present invention.

FIG. 2A shows a simplified flow chart of a method according to a specific embodiment of the present invention.

FIG. 2B shows a simplified flow chart of a method according to a further specific embodiment.

FIG. 2C shows a simplified flow chart of a method according to a further specific embodiment.

FIG. 2D shows a simplified flow chart of a method according to a further specific embodiment.

FIG. 2E shows a simplified flow chart of a method according to a further specific embodiment.

FIG. 3 shows a simplified block diagram of a device according to a specific embodiment.

FIG. 4 shows a simplified flow chart of a method according to a further specific embodiment.

FIG. 5 shows a simplified flow chart of a method according to a further specific embodiment.

FIG. 6 shows a simplified flow chart of a method according to a further specific embodiment.

FIG. 7 shows a simplified flow chart of a method according to a further specific embodiment.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

FIG. 1 schematically shows a simplified block diagram of a communications system 200 according to a specific embodiment. Communications system 200 includes a shared communications medium (shared medium) 202 (that is, one usable by a plurality of subscribers), via which a plurality of subscribers 210, 212, 214, 216 of communications system 200 may enter into data communication with each other (for example, sending and/or receiving messages via communications medium 202). For example, communications system 200 may take the form of a CAN or CAN FD system. Accordingly, communications medium 202 represents, by way of example, a CAN bus, and subscribers 210, 212, 214, 216 are configured to communicate with each other via the CAN bus.

In particularly preferred specific embodiments of the present invention, a method for monitoring the data communications in communications system 200 is provided. To this end, FIG. 2A schematically shows a simplified flow chart of a specific embodiment of the method. In a first step 100, the (in particular, authorized) subscribers 210, 212, 214, 216 of communications system 200 are ascertained. This is used, for example, to determine which subscribers are present and, accordingly, from which subscribers messages are to be expected within the scope of the data communications to be monitored. In a subsequent step 110, a first collection S1 of possible messages which may be sent via communications medium 202 by at least one of subscribers 210, 212, 214, 216 is generated, e.g., in the form of a list or table or the like. In the following step 120, messages sent via communications medium 202 are ascertained, and in step 130, the ascertained messages are evaluated. In particularly preferred specific embodiments, the evaluation according to step 130 may take place in view of first collection S1.

In further preferred specific embodiments, first collection S1 may constitute a so-called positive list or “white list,” that is, a list of all possible messages which may be sent by at least one of the ascertained, authorized subscribers via communications medium 202. If, for example, in step 130 it is then determined that the messages ascertained in step 120 include at least one message which is not contained in first collection S1, then manipulation of communications system 200 or of at least one subscriber may be deduced.

In other words, during evaluation 130 of the ascertained messages, which therefore have actually been sent via communications medium 202, first collection S1 may be taken into consideration, which means that ascertained messages may be compared, for example, to first collection S1. This allows efficient monitoring of the data communications in communications system 200; in particular, the monitoring does not require any expensive special hardware or complex signal processing. Instead, the knowledge characterized by first collection S1 is used; this knowledge is typically available during the construction of communications system 200 and/or can be ascertained then or later without much effort.

In particularly preferred specific embodiments, a device 300 which is configured to execute the method in accordance with the specific embodiments is integrated in at least one of the subscribers. Presently, this is indicated schematically in FIG. 1 for first subscriber 210.

In further preferred specific embodiments, the ascertaining of the subscribers according to step 100 of FIG. 2A may be accomplished, for example, by monitoring the communications on communications medium 202; the monitoring preferably taking place in an operating phase of communications system 200 in which it may be assumed that no manipulation is currently being carried out or present. Learning the subscriber set from live traffic therefore presumes that this learning phase is free of manipulation; a message injected during that phase would otherwise be accepted into the white list. Alternatively, or in addition, the ascertaining of the subscribers according to step 100 of FIG. 2A may also be carried out, for example, with the aid of a configuration in which the authorized subscribers are specified to device 300.

“Subscriber” or “subscriber device” is presently understood as any technical device or any technical system which is configured or suited to enter into data communication with other subscribers via shared communications medium 202, thus, for example, to send and receive messages via communications medium 202 to and from one or more other subscribers. If communications system 200 includes, for example, a CAN bus, as is presently the case with reference to FIG. 1, the above-mentioned subscriber and/or subscriber device may have, for example, a CAN transceiver for the data communications via the CAN bus. Therefore, the above-mentioned messages may be distinguished in an appropriate manner, for example, by their CAN ID.

In further preferred specific embodiments, the method further includes the following steps: ascertaining a transmission state of at least one ascertained subscriber, preferably of a plurality of, or of all, the ascertained subscribers; and then, for the at least one ascertained subscriber (preferably for the plurality of, or all of, the ascertained subscribers), ascertaining a second collection S2 of possible messages which may be sent via the communications medium by the at least one (or the plurality of, or preferably all of) the ascertained subscribers, as a function of the specific transmission state of the ascertained subscriber in question; in particular, the evaluating of the ascertained messages being carried out as a function of second collection S2. This renders possible particularly precise monitoring of the data communications. In further preferred specific embodiments, the specific embodiment mentioned above, and/or individual steps from it, may also be combined in an advantageous manner with the specific embodiment described above with reference to FIG. 2A.

This is illustrated exemplarily in the simplified flow chart according to FIG. 2B. In step 100, the subscribers of communications system 200 are initially ascertained; in step 102, a transmission state of at least one ascertained subscriber, preferably of a plurality of, or of all, ascertained subscribers 210, 212, 214, 216, is ascertained; in step 104, second collection S2 of possible messages which are transmittable by ascertained subscribers 210, 212, 214, 216 via communications medium 202 is ascertained as a function of the specific transmission state of the ascertained subscriber 210, 212, 214, 216 in question; in step 120, messages sent via communications medium 202 are ascertained; in step 130, the messages ascertained in step 120 are evaluated; in particular, in the specific embodiment according to FIG. 2B, the evaluating 130 of the ascertained messages provides for evaluating the ascertained messages as a function of second collection S2. This advantageously allows the messages ascertained in step 120 to be compared to second collection S2. Since, in contrast to first collection S1 already described above, second collection S2 additionally takes into account the specific transmission states of the ascertained subscribers 210, 212, 214, 216 in question, it accordingly has more specific data about the currently permissible messages than first collection S1. Accordingly, an even more exact check of communications system 200 for instances of manipulation may be carried out using second collection S2.

In further specific embodiments, second collection S2 may also be referred to as a white list specific to the transmission state, or as a “selective” white list, since it contains only messages which may be sent by the corresponding authorized subscribers in view of their specific, current transmission state, but not, for example, other messages which may indeed be sent in principle by an authorized subscriber but whose current transmission is ruled out by the current transmission state of the subscriber in question.

For example, in further specific embodiments, first collection S1 may include four (CAN) communications for a considered subscriber, e.g., having the CAN IDs 0x222, 0x560, 0x276 and 0x223, whereas second collection S2 for the considered subscriber, formed in a current transmission state, includes only three (CAN) communications, namely those having the CAN IDs 0x222, 0x560 and 0x276. If, e.g., a further CAN communication having the CAN ID 0x223 is now received, then manipulation is advantageously detected.

In further specific embodiments, for example, second collection S2 for subscriber 212 may contain a total of three messages, namely a first CAN communication having the first CAN ID 0x222, a second CAN communication having the second CAN ID 0x560, and a third CAN communication having the third CAN ID 0x276. Accordingly, these three CAN communications may be sent via communications medium 202 in the current transmission state of subscriber 212. If, for example, the step of evaluation 130 (FIG. 2B) reveals that a CAN communication having the CAN ID 0x223 is included among the messages ascertained in step 120, then an instance of manipulation of communications system 200 and/or of subscriber 212 may be deduced accordingly.
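The two-stage check of FIGS. 2A and 2B (static white list S1, then the state-dependent white list S2), written out as an added example that is not part of the patent. The subscriber names ECU_212 and ECU_214, the transmission states, the CAN matrix and the captured frames are constructed for illustration; the CAN IDs 0x222, 0x560, 0x276 and 0x223 are the ones used in the text above.

```python
"""Static (S1) and state-dependent (S2) white lists for a shared CAN bus.

Added example, not code from the patent. Subscriber names, the CAN matrix
and the sample capture are constructed; only the four CAN IDs 0x222, 0x560,
0x276 and 0x223 come from the text.
"""
from dataclasses import dataclass
from enum import Enum


class TxState(Enum):
    """Transmission states of a subscriber (assumed for this example)."""
    OFF = "off"          # powered down, sends nothing
    NORMAL = "normal"    # ignition on, full communication
    SLEEP = "sleep"      # partial networking: reduced message set


# Per-subscriber CAN matrix: which IDs a subscriber may send in which state.
# Constructed data; in practice this comes from the network design files.
CAN_MATRIX = {
    "ECU_212": {
        TxState.NORMAL: {0x222, 0x560, 0x276, 0x223},
        TxState.SLEEP: {0x222, 0x560, 0x276},
        TxState.OFF: set(),
    },
    "ECU_214": {
        TxState.NORMAL: {0x3A0, 0x3A1},
        TxState.SLEEP: {0x3A0},
        TxState.OFF: set(),
    },
}


def first_collection(matrix):
    """S1 (step 110): every message any authorized subscriber may ever send."""
    return {cid for per_state in matrix.values() for ids in per_state.values() for cid in ids}


def second_collection(matrix, states):
    """S2 (step 104): messages currently permitted given each subscriber's state.

    ``states`` maps subscriber name -> TxState. Returns CAN ID -> subscriber so a
    finding can name the subscriber whose traffic is being impersonated.
    """
    s2 = {}
    for sub, per_state in matrix.items():
        for cid in per_state.get(states[sub], set()):
            s2[cid] = sub
    return s2


@dataclass(frozen=True)
class Finding:
    can_id: int
    kind: str         # "unknown_id" (not in S1) or "state_violation" (in S1, not in S2)
    subscriber: str   # authorized sender of that ID, or "?" if none


def evaluate(frames, matrix, states):
    """Step 130: compare ascertained CAN IDs against S1 and S2.

    ``frames`` is an iterable of CAN IDs in arrival order. An ID outside S1 is an
    unknown message (injection). An ID inside S1 but outside S2 could be sent by
    a legitimate subscriber in principle but not in its current state, which the
    text treats as evidence of manipulation.
    """
    s1 = first_collection(matrix)
    s2 = second_collection(matrix, states)
    owners = {cid: sub for sub, per_state in matrix.items()
              for ids in per_state.values() for cid in ids}
    findings = []
    for cid in frames:
        if cid in s2:
            continue
        if cid in s1:
            findings.append(Finding(cid, "state_violation", owners[cid]))
        else:
            findings.append(Finding(cid, "unknown_id", "?"))
    return findings


if __name__ == "__main__":
    # Constructed capture: ECU_212 is in SLEEP, so 0x223 must not appear; 0x7FF is foreign.
    states = {"ECU_212": TxState.SLEEP, "ECU_214": TxState.NORMAL}
    capture = [0x222, 0x560, 0x3A0, 0x276, 0x223, 0x3A1, 0x7FF]
    for f in evaluate(capture, CAN_MATRIX, states):
        print(f"CAN ID 0x{f.can_id:03X}: {f.kind} (subscriber {f.subscriber})")
```

Note that the same ID 0x223 is silently accepted once ECU_212 is in the NORMAL state, which is why the text insists on keeping S2 current (step 104′): an S2 that lags behind the real transmission state produces either false alarms or missed injections.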

In further preferred specific embodiments, second collection S2 is updated, preferably repeatedly, cf. optional step 104′ of FIG. 2B; in particular, second collection S2 being updated a) periodically and/or b) as a function of a, preferably current, transmission state of the at least one ascertained subscriber, and/or c) as a function of at least one ascertained message (e.g., from step 120). In this manner, it is ensured that the inventory of currently permissible messages in collection S2 is always current, which means that particularly accurate monitoring may take place.

In further preferred specific embodiments, the evaluating 130 (FIGS. 2B, 2C) includes checking 132 (FIG. 2C) whether the messages ascertained in step 120 contain at least one message which is not included in second collection S2. In this case, for example, an error response 132′ may be initiated, for example, signaling an irregular state or a suspected manipulation attempt to a further unit, for example, to another or all of the other subscribers of communications system 200, and/or to an external unit 350 (FIG. 3).

In further preferred specific embodiments, cf. FIG. 2D, the evaluating 130 of the ascertained messages includes ascertaining 134 a frequency of the messages sent by at least one particular ascertained subscriber 214 (FIG. 1). In further preferred specific embodiments, the evaluating 130 of the ascertained messages additionally includes the following steps: comparing 134′ the ascertained frequency to a frequency specified for the particular ascertained subscriber 214; and, optionally, initiating 134″ an error response if the ascertained frequency does not agree with the frequency specified for the particular ascertained subscriber 214. In further specific embodiments, it is particularly preferable for the above-described ascertainment 134 of the frequency and the further evaluation according to FIG. 2D to be combined with the specific embodiments according to FIG. 2A and/or 2B and/or 2C.

In further preferred specific embodiments, cf. FIG. 2E, the evaluating 130 additionally includes checking 136 whether the ascertained frequency falls below a specifiable first threshold value and/or exceeds a specifiable second threshold value and/or is identical to zero; and, optionally, initiating an error response 136′ if the ascertained frequency falls below the specifiable first threshold value and/or exceeds the specifiable second threshold value and/or is identical to zero. In this manner, manipulation attempts may also be ascertained accurately in an advantageous manner, for example, the complete absence of messages of a relevant subscriber contained in the first and/or second collection S1, S2, the deactivation by an attacker of a subscriber which is actually authorized, and/or other measures of an attacker which have an effect on the frequency of the messages sent by the authorized subscriber.
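The frequency evaluation of FIGS. 2D and 2E, together with the per-subscriber completeness check from the summary above (all messages of a subscriber absent versus only some absent), as an added example that is not part of the patent. The cycle times, the tolerance band, the assignment of CAN IDs to subscribers and the one-second capture are constructed; a real deployment would take cycle times from the CAN matrix of the network.

```python
"""Frequency check of CAN traffic per message type and per subscriber.

Added example, not code from the patent. SPEC, TOLERANCE and the constructed
capture are assumptions for illustration.
"""
from collections import Counter

# Constructed configuration: CAN ID -> (sending subscriber, nominal cycle time in seconds).
SPEC = {
    0x222: ("ECU_212", 0.010),
    0x560: ("ECU_212", 0.100),
    0x276: ("ECU_212", 0.100),
    0x3A0: ("ECU_214", 0.020),
}
TOLERANCE = 0.25   # assumed: +/-25 % around the nominal rate still counts as agreement


def observed_rates(frames, window):
    """Step 134: messages per second for each CAN ID over a capture window.

    ``frames`` are (timestamp_seconds, can_id) pairs; ``window`` is the
    observation length in seconds. IDs from SPEC that never appear get rate 0.
    """
    counts = Counter(cid for _, cid in frames)
    return {cid: counts.get(cid, 0) / window for cid in SPEC}


def classify_rate(cid, rate):
    """Steps 134' and 136: compare to the specified rate and to the thresholds.

    Returns "ok", "zero", "too_low" or "too_high". The first threshold is the
    lower bound of the tolerance band, the second its upper bound.
    """
    nominal = 1.0 / SPEC[cid][1]
    low, high = nominal * (1 - TOLERANCE), nominal * (1 + TOLERANCE)
    if rate == 0:
        return "zero"
    if rate < low:
        return "too_low"
    if rate > high:
        return "too_high"
    return "ok"


def evaluate(frames, window):
    """Per-ID verdicts plus the per-subscriber roll-up described in the text.

    All of a subscriber's messages absent: complete malfunction of that
    subscriber. Only some absent: masquerade (part of its traffic has been
    silenced or replaced). A rate above the upper threshold: additional copies
    of a legitimate message are being injected.
    """
    rates = observed_rates(frames, window)
    per_id = {cid: classify_rate(cid, r) for cid, r in rates.items()}
    per_subscriber = {}
    for sub in {s for s, _ in SPEC.values()}:
        ids = [cid for cid, (s, _) in SPEC.items() if s == sub]
        zero = [cid for cid in ids if per_id[cid] == "zero"]
        if len(zero) == len(ids):
            per_subscriber[sub] = "malfunction_suspected"
        elif zero:
            per_subscriber[sub] = "masquerade_suspected"
        elif any(per_id[cid] == "too_high" for cid in ids):
            per_subscriber[sub] = "injection_suspected"
        elif any(per_id[cid] == "too_low" for cid in ids):
            per_subscriber[sub] = "rate_deviation"
        else:
            per_subscriber[sub] = "ok"
    return per_id, per_subscriber


def constructed_capture():
    """One second of constructed traffic: 0x222 sent twice per cycle (replayed copy),
    0x276 silent, 0x560 and 0x3A0 at their nominal rates."""
    frames = []
    for i in range(100):                      # 10 ms cycle -> 100 cycles per second
        frames.append((i * 0.010, 0x222))
        frames.append((i * 0.010 + 0.005, 0x222))   # attacker's extra copy -> 200/s
    frames += [(i * 0.100, 0x560) for i in range(10)]
    frames += [(i * 0.020, 0x3A0) for i in range(50)]
    return sorted(frames)


if __name__ == "__main__":
    per_id, per_sub = evaluate(constructed_capture(), window=1.0)
    for cid, verdict in per_id.items():
        print(f"0x{cid:03X}: {verdict}")
    print(per_sub)
```

The roll-up is deliberately conservative: a subscriber that is legitimately powered down also shows all-zero rates, so in a deployment the "malfunction" verdict should be gated by the transmission state of FIG. 4, otherwise every ignition-off phase raises an alarm.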

FIG. 3 schematically shows a simplified block diagram of a device 300 a according to a specific embodiment, which is configured to execute at least one method for monitoring the data communications in communications system 200 in accordance with the specific embodiments. For example, device 300 according to FIG. 1 may have the configuration 300 a according to FIG. 3. Device 300 a includes a processing unit 302, which has, for example, a microprocessor and/or digital signal processor (DSP) and/or microcontroller and/or an application-specific integrated circuit (ASIC) and/or a programmable logic chip, in particular an FPGA (field programmable gate array), or the like, and/or a combination of them. Device 300 a further includes a storage unit 304, which preferably has a volatile memory 304 a, in particular a main memory (RAM), and/or a nonvolatile memory 304 b, in particular a flash EEPROM. Storage unit 304 is configured to at least temporarily store data processed during the execution of the method according to the specific embodiments, for example, data of ascertained subscribers 210, . . . , 216 and/or data of first collection S1 and/or data of second collection S2 and/or ascertained messages and/or data which are used for evaluation 130 or which are retained during evaluation 130.

It is also particularly preferable for storage unit 304 to be configured to store at least one computer program PRG at least temporarily; computer program PRG being designed to be executed by processing unit 302 and, in this manner, e.g., to implement a method according to the specific embodiments in device 300 a.

In further preferred specific embodiments, device 300 a may also have an optional communications interface 306, which allows, for example, messages to be sent and/or received via communications medium 202. In further preferred specific embodiments, in addition to the data communications via communications medium 202, communications interface 306 may also, as an option, be configured to allow data communication of device 300 a with another unit 350, in particular one outside of communications system 200; for example, the error responses described above, or data D derived from them, may be sent to that unit.

Further preferred specific embodiments relate to a subscriber 210, 212, 214, 216 or a subscriber device for communications system 200. One or more devices 300, 300 a according to the specific embodiments may preferably be provided in at least one subscriber 210, 212, 214, 216 of communications system 200, which means that comprehensive and, in particular, mutual monitoring by subscribers 210, 212, 214, 216 on the basis of the principle according to the specific embodiments is rendered possible.

Further preferred specific embodiments relate to a communications system 200 which includes a communications medium 202 jointly usable by a plurality of subscribers (that is, shared among the subscribers), as well as at least one subscriber 210 according to the specific embodiments and/or at least one device 300, 300 a according to the specific embodiments; in particular, the communications system taking the form of a CAN (controller area network) system or CAN FD (flexible data rate) system. In further preferred specific embodiments, communications system 200 may also operate according to a communications standard different from the CAN or CAN FD standard mentioned above by way of example. In further preferred specific embodiments, it is also conceivable to provide at least one device 300, 300 a according to the specific embodiments in communications system 200; in further specific embodiments, in departure from the configuration shown by way of example in FIG. 1, the at least one device 300, 300 a may be positioned outside of a subscriber, for example, as a separate, external device connected to communications medium 202.

Further preferred specific embodiments relate to use of the method according to the specific embodiments and/or of device 300, 300 a according to the specific embodiments and/or of subscriber 210, 212, 214, 216 according to the specific embodiments and/or of communications system 200 according to the specific embodiments, for monitoring communications system 200 for a fault and/or for manipulation of, in particular, at least one subscriber.

In the following, further advantageous specific embodiments are described with reference to the flow charts according to FIGS. 4, 5, 6, and 7.

FIG. 4 schematically shows a functional sequence according to further preferred specific embodiments, in which a transmission state is ascertained and second collection S2, which may be regarded as a “selective white list,” is updated; compare also the specific embodiment described above with reference to step 104′ of FIG. 2B. In step 400 according to FIG. 4, the determination of the transmission state of at least one subscriber 210 begins. In step 402, the data communications on communications medium 202 are evaluated, for example, by device 300 (FIG. 3).

As an option, sensor data of, for example, device 300 are also evaluated in step 402. In further preferred specific embodiments, a transmission state, such as a power-management state, may be ascertained by analyzing the network (e.g., by evaluating the contents of communications) and/or using other information which device 300 may obtain through subscriber 210, e.g., internally available data such as values read in via an ADC (analog-to-digital converter) input.

Then, in step 404, the respective transmission states are ascertained for each subscriber 210, 212, 214, 216 of communications system 200. In further preferred specific embodiments, in step 404, at least one of the following elements may be considered for ascertaining the transmission state of a specific subscriber:

1. Energy management (power management) and/or consideration of different operating states, in particular energy-saving states, of subscribers. For example, some subscribers may be switched off while, at the same time, other subscribers of the communications system are switched on and actively participate in the data communications over the communications system. In automotive applications, this applies, for example, to subscribers and/or to control units containing the subscribers which are only active when the ignition of the motor vehicle is switched on. A subscriber which is currently deactivated will obviously not send any messages over the communications system.

2. Network management, partial disconnection of network segments and/or of segments of communications system 200 (partial networking). In further specific embodiments, it is possible to control the transmission state of a subscriber, for example, using messages which are sent to the subscriber in question by another subscriber. The control may have as its object, e.g., temporary deactivation of the subscriber in question and/or inducing the subscriber to stop sending one or more specifiable messages, permanently or for a specifiable period of time, and the like.

3. Diagnostic commands: using diagnostic protocols or diagnostic commands, it is possible to control the transmission state of a subscriber in question, e.g., by resetting it to a specifiable operating state or system state, for example, through activation of a boot loader, in which operating or system state not all of the messages, or at least temporarily no messages at all, are sent by the subscriber in question. In this connection, in further specific embodiments, a communication control service according to ISO 14229 (UDS, Unified Diagnostic Services) may be used, for example, in order to at least temporarily activate or deactivate particular messages to be sent by a subscriber in question. Such diagnostic commands are themselves visible on the bus, so a monitoring device can account for them when forming the selective white list; they are equally available to an attacker as a means of silencing a subscriber, which is why the absence of expected messages (FIG. 2E) is evaluated as well.

In the determination of the transmission state of a subscriber in question, consideration of one or more of the above-mentioned aspects, which is possible in further specific embodiments, allows for especially accurate monitoring of the data communications in communications system 200. In further specific embodiments, it is particularly preferable to ascertain the transmission states of all subscribers of communications system 200 in a corresponding manner, in particular in view of at least one of the above-mentioned aspects 1., 2., 3., or of at least parts of them.

Finally, in the method according to FIG. 4, the selective white list, for example, in the form of second collection S2, is formed and/or updated in step 406, on the basis of the data ascertained in steps 402, 404 and, optionally, further data, provided that it was already generated beforehand (or, in accordance with a further specific embodiment, was already predetermined by configuration). In further preferred specific embodiments, for example, configuration data for at least one subscriber of the communications system may also be used for forming the selective white list or second collection S2. For the example used presently, an example of this is to additionally incorporate preconfigured CAN matrices of the specific subscribers for ascertaining second collection S2; the preconfigured CAN matrices representing the data about which message (for example, having which CAN ID) should be sent by which subscriber at which time and/or at which frequency.

In further preferred specific embodiments, for ascertaining second collection S2, it may also be taken into consideration when the messages defined by the configuration (e.g., CAN matrices) are sent, in particular, as a function of the transmission state of the subscriber in question.

In further preferred specific embodiments, communication relationships between a plurality of subscribers 210, 212 may also be advantageously considered in the determination of second collection S2. For example, one or more possible transmission states of a first subscriber may be influenced by one or more possible transmission states of a second subscriber and/or by messages sent or not sent by the second subscriber. This interaction may also be considered in an advantageous manner in the generation of second collection S2, which means that complex usage scenarios may also be reproduced, such as the forwarding of messages among several subscribers of communications system 200 or between different communications systems or networks. The above-described consideration of this interaction may allow the data communications in communications system 200 to be monitored even more precisely.

In further preferred specific embodiments of the method according to FIG. 4, after the execution of step 406, the method branches back again to step 402, cf. arrow 406 a, so that above-mentioned operations 402, 404, 406 are repeated. It is particularly preferable for these operations to be continually repeated or at least occasionally repeated in a periodic manner, in order to be able to supply correct data in the selective white list (corresponds to second collection S2) at any time. In particular, this may also allow sudden or dynamic changes of a transmission state (occurring during the operation of communications system 200 and/or of a subscriber) to be taken into consideration.

In further specific embodiments, after step 406, it is also possible to branch directly to step 406 b, which characterizes an end of the determination or updating of the transmission state.

In the following, e.g., the detection of masquerade attacks according to further preferred specific embodiments is described with reference to the flow chart shown in FIG. 5. The method begins in step 500. In step 502, the data communications on communications medium 202 (that is, the messages sent on communications medium 202) are ascertained, and in the following step 504, it is checked if a considered message of the messages ascertained beforehand in step 502 is included in the selective white list, that is, in second collection S2. If yes, then the method branches to step 506 (end), cf. arrow 504 a. If no, then the method branches from step 504, via arrow 504 b, to step 508, in which the presence of a masquerade attack is deduced and a corresponding error response is initiated (for example, signaling D a detected manipulation attempt to an external unit 350 (FIG. 3)). The basis of this is the consideration that if an ascertained message is not contained in second collection S2, then it has been fed into communications medium 202 by an unauthorized attacker. In this respect, step 508 according to FIG. 5 corresponds, for example, to step 132′ according to FIG. 2C.

In further preferred specific embodiments, steps 502, 504 according to FIG. 5 include ascertaining each message sent via communications medium 202 and checking each of the ascertained messages for its presence in selective white list S2.

In further preferred specific embodiments, the principle according to the above-described specific embodiments, in particular, the use of the selective white list, that is, of second collection S2, may be advantageously used to supplement and/or improve other methods for monitoring the data communications in the communications system, which are possibly executed simultaneously with the above-described methods, and which are based, in particular, on a presence of messages and/or a frequency, at which messages are sent by a subscriber in question. The above-mentioned principle is also applicable to further methods, which use the determination of a time lapse (timeout) in the data communications via communications system 200, and/or to methods, which monitor the proper routing of messages and the violation of it (routing violation).

In particular, according to further advantageous specific embodiments, the principle of the specific embodiments may be used to reduce a false positive rate of the other methods mentioned above, based on the use of the selective white list, that is, of second collection S2. According to investigations of the applicant, the other methods mentioned above tend to generate false-positive status messages, in particular, in transmission states of considered subscribers of communications system 200, in which transmission of particular messages is completely deactivated. In view of the second collection S2 according to the specific embodiments, the number of false-positive status messages of the other methods mentioned above may be advantageously reduced, for example, by deactivating the other methods at least temporarily for specifiable periods of time and/or by suppressing such false-positive status messages.

Therefore, in the following, aspects of further specific embodiments, which address the above-mentioned disadvantages of the other methods, are described by way of example, with reference to the flow chart according to FIG. 6. The method exemplarily described in light of FIG. 6 begins with step 600. In step 602, at least one of the other methods (for example, a monitoring method, which carries out monitoring as a function of the frequency of a particular message of a subscriber) is executed. In step 604, it is checked if a report or a status message possibly generated by the other method in step 602 relates to a message, which was ascertained in accordance with the principle of the specific embodiments (cf., for example, step 120 from FIG. 2A) and is also contained in second collection S2 (selective white list). If this is the case, cf. arrow 604 a, the method branches to step 606, which defines an end of the method. However, if this is not the case, that is, the report or the status message from step 602 relates to a message, which is not contained in selective white list S2, then the method branches from step 604, via arrow 604 b, to step 608, in which the status message or the report from step 602 is suppressed, which means that, in particular, an unwanted false-positive status message is prevented. The method then branches from step 608 to step 606 (end). It may be discerned from FIG. 6 that the status message or a report of the other method, as constituted in step 602, is not suppressed, in particular, cf. arrow 604 a, if it relates to a message contained in selective white list S2.

In the following, aspects of further preferred specific embodiments, which relate to detecting the unavailability of a subscriber of communications system 200, are described with reference to the simplified flow chart according to FIG. 7. The method begins with step 700. In optional step 702, a method, as was exemplarily described above with reference to step 602 in FIG. 6, is executed. Alternatively, the method according to FIG. 7 may also begin with step 704, that is, without carrying out step 702. In step 704, it is checked if all messages transmittable by a particular subscriber are included among the ascertained messages (cf. step 120 from FIG. 2A). If yes, the method branches, via arrow 704 a, to step 706, in which the method is terminated. In this case, it is deduced that all expected messages of the particular subscriber considered have appeared at least one time each, and that therefore, no manipulation attempt is present.

However, if step 704 reveals that at least one of the messages transmittable by the particular subscriber is not included in the ascertained messages, then the method preferably branches, via arrow 704 b, to step 708, in which it is checked if a threshold value of a time lapse (timeout) regarding the receipt of the message in question has been reached. If no, cf. arrow 708 a, the method branches to block 706, as well. If yes, cf. arrow 708 b, the method branches to step 710, in which the presence of a manipulation attempt or attack, in particular, a masquerade attack, is deduced, and in which in some instances, an error response is optionally initiated. For, in this connection, it may be inferred that an attacker has succeeded in manipulating the particular subscriber, for example, in deactivating it at least temporarily, for example, in order to falsify messages to be sent originally by the particular subscriber. Then, the method branches likewise to end block 706 (arrow 710 b).

In further preferred specific embodiments, second collection S2 may optionally be taken into account in step 704 during the checking, which further increases the precision during the monitoring.

In further preferred specific embodiments, it is provided that the method include the following steps: checking if messages transmittable by a particular subscriber are contained in the ascertained messages; deducing a manipulation attempt, if some, but not all of the messages transmittable by the particular subscriber are included in the ascertained messages. This advantageously allows, e.g., communications or messages actually occurring to be compared to expected communications or messages for each subscriber. If, e.g., all of the communications of a subscriber are absent, this indicates its complete malfunction. If only a portion of the communications of a subscriber are absent, this indicates an attack (masquerade). In this connection, in further preferred specific embodiments, data of second collection S2 may optionally be considered during the checking, which further increases the precision during the monitoring.
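The following is an added, self-contained illustration (not the applicant's code) of the checks described for FIG. 4 through FIG. 7 and of the partial-absence rule above: a selective white list S2 is derived from preconfigured CAN matrices and the current transmission state of each subscriber, every ascertained frame is checked against S2, reports of another monitor are suppressed when they concern IDs absent from S2, and each subscriber's expected messages are compared with those actually seen, with a timeout before a verdict. The CAN matrix, the subscriber names, the transmission-state names and the frame log are all constructed for the example.

```python
# Constructed example (not from the patent): four ECUs on one CAN bus.
# Preconfigured CAN matrix: subscriber -> {CAN ID: nominal period in ms}.
CAN_MATRIX = {
    "ECU_210": {0x100: 10, 0x101: 100},
    "ECU_212": {0x200: 20},
    "ECU_214": {0x300: 50},
    "ECU_216": {0x400: 10, 0x401: 100, 0x402: 1000},
}
# Assumed transmission-state names; only "active" senders put frames on the bus.
SENDING_STATES = {"active"}


def first_collection():
    """S1: every CAN ID any subscriber could send, independent of its state."""
    return {cid for matrix in CAN_MATRIX.values() for cid in matrix}


def second_collection(tx_state):
    """S2 (FIG. 4): selective white list, CAN ID -> expected sender, built only
    from subscribers whose current transmission state permits sending."""
    return {cid: sub for sub, matrix in CAN_MATRIX.items()
            if tx_state.get(sub) in SENDING_STATES for cid in matrix}


def check_message(can_id, s2):
    """FIG. 5: a frame whose ID is not in S2 must have been injected."""
    return "ok" if can_id in s2 else "masquerade"


def filter_reports(reports, s2):
    """FIG. 6: drop reports of another monitor (e.g. a frequency monitor) that
    concern IDs absent from S2; those stem from legitimately silent senders."""
    return [r for r in reports if r["can_id"] in s2]


def check_subscriber(sub, seen_ids, s2, elapsed_ms, timeout_ms):
    """FIG. 7 plus the partial-absence rule: compare what a subscriber was
    expected to send (per S2) with the IDs actually seen on the bus."""
    expected = {cid for cid, owner in s2.items() if owner == sub}
    missing = expected - seen_ids
    if not expected or not missing:
        return "ok"
    if elapsed_ms < timeout_ms:
        return "pending"          # arrow 708 a: timeout not yet reached
    if missing == expected:
        return "malfunction"      # all messages absent: subscriber is down
    return "masquerade"           # some, but not all: manipulation deduced


def evaluate(frames, tx_state, timeout_ms=2000):
    """Run all checks over a frame log [(t_ms, can_id)]; returns per-frame
    verdicts and per-subscriber verdicts."""
    s2 = second_collection(tx_state)
    per_frame = [(t, cid, check_message(cid, s2)) for t, cid in frames]
    seen = {cid for _, cid in frames}
    t_end = frames[-1][0] if frames else 0
    per_sub = {sub: check_subscriber(sub, seen, s2, t_end, timeout_ms)
               for sub in CAN_MATRIX}
    return per_frame, per_sub


if __name__ == "__main__":
    # Constructed scenario in the spirit of FIG. 1: ECU_216 is in a regular
    # sleep state, and a manipulated ECU_214 injects 0x400, an ID of ECU_216.
    state = {"ECU_210": "active", "ECU_212": "active",
             "ECU_214": "active", "ECU_216": "sleep"}
    log = [(0, 0x100), (10, 0x300), (20, 0x400), (30, 0x200)]
    per_frame, per_sub = evaluate(log, state)
    print([v for _, cid, v in per_frame if cid == 0x400])   # ['masquerade']
    # A frequency monitor complaining about silent 0x401 is suppressed (FIG. 6).
    print(filter_reports([{"can_id": 0x401, "issue": "frequency zero"}],
                         second_collection(state)))         # []
```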

In further, particularly preferred specific embodiments, the principle according to the specific embodiments is applied in real time; thus, data communications of communications system 200 occurring in real time are monitored. Alternatively, or in addition, the principle according to the specific embodiments may also be used for a forensic analysis of communications; the corresponding data, which are to be evaluated, being present, for example, in the form of one or more log files of a communications system or of at least one subscriber.

In further preferred specific embodiments, for example, the following scenarios of application are possible with reference to the schematic block diagram according to FIG. 1. For the following description, it is assumed, for example, that subscribers 210, 212, 214, 216 are each assigned to control units of a motor vehicle, and that communications system 200 is a communications system of the motor vehicle, for example, a CAN bus. For the following description, it is further assumed that subscriber 216 is a target of a planned masquerade attack, while the principle according to the specific embodiments is applied, by way of example, by the device 300 integrated in subscriber 210. In the present example, it is further assumed that the attacker is manipulating subscriber 214, in particular, using it to inject messages into communications system 200, which are normally sent by the other subscriber 216, and doing this in transmission states, in which other subscriber 216 would not send such messages, for example, based on its possible transmission states. A reason for this may be, for example, a regular transmission state of subscriber 216, in which it does not send any messages and/or does not send the corresponding messages, and/or an attack with the aid of further subscriber 214.

The methods and/or variants described above with reference to FIG. 2A through FIG. 7, and/or combinations of them, may be advantageously executed or used by device 300, in order to detect the masquerade attack through subscriber 214.

The principle according to the specific embodiments advantageously allows manipulation of the communications system and/or of at least one subscriber to be detected efficiently, without the provision of additional hardware, in particular, special hardware. In particular, this allows so-called man-in-the-middle attacks and/or masquerading attacks to be detected. Since the principle according to the specific embodiments is based on the consideration of ascertained messages and the evaluation of these messages, and not, for instance, on particular physical characteristics of one or more subscribers, a particularly low false-positive rate may be obtained, that is, a particularly low number of regular events mistakenly judged as a manipulation attempt, using the principle according to the specific embodiments. It is particularly preferable for the principle according to the specific embodiments to be used in a communications system of a vehicle, in particular, a motor vehicle, but it is not limited to this area. In addition, the principle according to the specific embodiments may be combined with other methods for monitoring the data communications in a communications system, which means that in some instances, a further increase in the precision and/or reliability is yielded, for example, due to the option of checking the respective results of the two methods for plausibility.

In further specific embodiments, ascertained messages may be evaluated and/or analyzed in an advantageous manner, using first collection S1 and/or second collection S2; for example, the following categories being conceivable: expected messages, unexpected messages, expected, but nonappearing messages. In this manner, particularly precise and detailed monitoring of the data communications in communications system 200 is rendered possible. In further preferred specific embodiments, the absence of expected messages and/or a frequency of messages may additionally be taken into account, which means that further anomalies in the data communications may be ascertained. According to further specific embodiments, attacks or instances of manipulation of communications system 200 or of at least one subscriber 210, . . . , 216 may be deduced from such anomalies. It is particularly advantageous that manipulation may be deduced, when in accordance with the transmission states considered, only some of all the messages transmittable by a subscriber are sent and/or ascertained.

What is claimed is:
1. A method for monitoring data communications in a communications system, which includes a plurality of subscribers and a communications medium jointly usable by the subscribers, the method comprising the following steps: ascertaining the subscribers of the communications system; forming a first collection of possible messages, which may be sent by at least one of the ascertained subscribers via the communications medium; ascertaining messages sent via the communications medium; and evaluating the ascertained messages.
2. The method as recited in claim 1, further comprising the following steps: ascertaining a transmission state of at least one ascertained subscriber; ascertaining a second collection of possible messages, which may be sent via the communications medium by the at least one subscriber, as a function of a specific transmission state of the at least one ascertained subscriber; wherein the evaluating of the ascertained messages is carried out as a function of the second collection.
3. The method as recited in claim 2, wherein the at least one ascertained subscriber includes a plurality of the subscribers.
4. The method as recited in claim 2, wherein the at least one ascertained subscriber includes all of the ascertained subscribers.
5. The method as recited in claim 2, wherein the second collection is updated repeatedly, the second collection being updated a) periodically and/or b) as a function of a current transmission state of the at least one ascertained subscriber, and/or c) as a function of at least one ascertained message.
6. The method as recited in claim 2, wherein the evaluating includes checking if, in the ascertained messages, at least one message is present, which is not contained in the second collection.
7. The method as recited in claim 1, wherein the evaluating of the ascertained messages includes ascertaining a frequency of the messages sent by at least one particular, ascertained subscriber.
8. The method as recited in claim 7, wherein the evaluating of the ascertained messages further includes: comparing the ascertained frequency to a frequency specified for the particular, ascertained subscriber.
9. The method as recited in claim 8, wherein the evaluating of the ascertained messages further includes: initiating an error response if the ascertained frequency does not agree with the frequency specification for the particular, ascertained subscriber.
10. The method as recited in claim 9, wherein the evaluating further includes: checking if the ascertained frequency falls below a specifiable, first threshold value and/or exceeds a specifiable, second threshold value and/or is identical to zero; and initiating an error response if the ascertained frequency falls below the specifiable, first threshold value and/or exceeds the specifiable, second threshold value and/or is identical to zero.
11. The method as recited in claim 1, further comprising the following steps: checking if all of the messages transmittable by a particular subscriber are included in the ascertained messages; deducing a manipulation attempt, if not all of the messages transmittable by the particular subscriber are included in the ascertained messages, the deducing including deducing the manipulation attempt, if not all of the messages transmittable by the particular subscriber are contained in the ascertained messages within a specifiable waiting time.
12. The method as recited in claim 1, further comprising: checking if messages transmittable by a particular subscriber are contained in the ascertained messages; and deducing a manipulation attempt, if some, but not all of the messages transmittable by the particular subscriber are included in the ascertained messages.
13. A device for monitoring data communications in a communications system, which includes a plurality of subscribers and a communications medium jointly usable by the subscribers, the device configured to: ascertain the subscribers of the communications system; form a first collection of possible messages, which may be sent by at least one of the ascertained subscribers via the communications medium; ascertain messages sent via the communications medium; and evaluate the ascertained messages.
14. The device as recited in claim 13, wherein the device is further configured to: ascertain a transmission state of at least one ascertained subscriber; and ascertain a second collection of possible messages, which may be sent via the communications medium by the at least one subscriber, as a function of a specific transmission state of the at least one ascertained subscriber; wherein the evaluation of the ascertained messages is carried out as a function of the second collection.
15. A subscriber for a communications system which includes a communications medium jointly usable by a plurality of subscribers, the subscriber having at least one device for monitoring data communications in the communications system, the device configured to: ascertain the subscribers of the communications system; form a first collection of possible messages, which may be sent by at least one of the ascertained subscribers via the communications medium; ascertain messages sent via the communications medium; and evaluate the ascertained messages.
16. A communications system, comprising: a communications medium jointly usable by a plurality of subscribers; and at least one device for monitoring data communications in the communications system, the device configured to: ascertain the subscribers of the communications system; form a first collection of possible messages, which may be sent by at least one of the ascertained subscribers via the communications medium; ascertain messages sent via the communications medium; and evaluate the ascertained messages; wherein the communications system is a CAN system or a CAN FD system.
17. The method as recited in claim 1, wherein the method is used to monitor for a fault or a manipulation of at least one of the subscribers.